Sakura Room (OSINT)

[screenshot]
[screenshot]

In this CTF, I will have to use OSINT techniques to conduct an investigation on a cybercriminal. The evidence left behind in the cyberattack will be used to identify the hacker. Let's begin!


Tip-Off

[screenshot]
The first piece of evidence left behind by the hacker is the image shown above. By the looks of it, the image is an SVG file, which means it may carry useful metadata.

[screenshot]
Viewing the source code of this webpage and of the image reveals the interesting information shown above. There is an interesting username, SakuraSnowAngelAiko. The directory the image was saved to also gives away this username; maybe it is the hacker's handle?

[screenshot]
I saved the image and ran exiftool on it. The command exiftool -a -u sakurapwnedletter.svg returned the same interesting metadata shown above. Time to search the Internet for this username to identify any digital footprint.
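The same check can be done without exiftool. The following is an added example (not part of the original writeup) that pulls the two places an author's identity usually leaks from an SVG: Inkscape's Dublin Core creator metadata and the inkscape:export-filename path, whose home-directory component is typically the account name. The SVG, the handle exampleuser and the path are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample SVG (not the CTF file): Inkscape-style metadata plus an
# export path, the two fields that commonly expose the author's handle.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:cc="http://creativecommons.org/ns#"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     inkscape:export-filename="/home/exampleuser/Pictures/letter.png">
  <metadata><rdf:RDF><cc:Work>
    <dc:creator><cc:Agent><dc:title>exampleuser</dc:title></cc:Agent></dc:creator>
  </cc:Work></rdf:RDF></metadata>
  <text>Hello</text>
</svg>"""

DC = "{http://purl.org/dc/elements/1.1/}"
INKSCAPE = "{http://www.inkscape.org/namespaces/inkscape}"
HOME_DIR = re.compile(r"^(?:/home/|/Users/|[A-Za-z]:\\Users\\)([^/\\]+)")

def svg_identity_leaks(svg_text: str) -> dict:
    """Return SVG metadata fields that could identify the file's author."""
    root = ET.fromstring(svg_text)
    leaks = {}
    # Any inkscape:export-* attribute holds a path on the author's machine.
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr.startswith(INKSCAPE) and "export" in attr:
                leaks[attr[len(INKSCAPE):]] = value
    # dc:creator wraps a cc:Agent whose dc:title is the author's name/handle.
    for creator in root.iter(DC + "creator"):
        title = creator.find(".//" + DC + "title")
        if title is not None and title.text:
            leaks["creator"] = title.text.strip()
    # The home-directory component of an export path is usually the login name.
    for key, value in list(leaks.items()):
        match = HOME_DIR.match(value)
        if match:
            leaks["username_from_path"] = match.group(1)
    return leaks

if __name__ == "__main__":
    for field, value in svg_identity_leaks(SAMPLE_SVG).items():
        print(f"{field}: {value}")
```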


Reconnaissance

[screenshot]
Searching for the username with the terms "SakuraSnowAngelAiko" and @SakuraSnowAngelAiko returned multiple interesting results, including a GitHub profile and a Twitter account. Could this be our target? The target's GitHub profile is shown above, and it has several interesting repositories.

[screenshot]
I also located a PGP public key belonging to this user at the same GitHub profile, as shown above.

[screenshot]
I copied the PGP key to my machine as a file named key and used the command pgp key to obtain the result shown above. The hacker's email address is SakuraSnowAngel83@protonmail.com. Checking the GitHub profile in the Wayback Machine turned up nothing useful. Time to look at the Twitter account.

[screenshot]
Searching Google for the hacker's handle leads to the Twitter account shown above. By the looks of it, the hacker's first name is Aiko. This user has posted many tweets.

[screenshot]
One of the tweets mentions another Twitter profile with the username aikoabe3. Could the hacker's full name be Aiko Abe?


Unveil

[screenshot]
From the previous reconnaissance, I noticed the hacker is interested in cryptocurrency. Their GitHub account has a repository called miningscript, shown above. By the looks of it, the hacker may have an Ethereum wallet.

[screenshot]
I checked the commit history of this repository and obtained the crucial information shown above. Two commits were pushed to the repository. Maybe the older commit contains sensitive information?

[screenshot]
And bingo! Now I have an Ethereum wallet address, shown above: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef. Since Ethereum transactions are recorded on a public blockchain, I can use a block explorer such as Etherscan.io to view every transaction made by this address.
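The lesson for anyone publishing a repository is that a later commit "removing" a secret does not remove it from history. As an added example (not the CTF repository or the author's tooling), the script below walks git log -p style output for the indicator types this writeup runs into (wallet addresses, emails, onion addresses) and reports values that were deleted from HEAD but are still present in an earlier commit. The log text, commit ids and the wallet address are constructed.

```python
import re

# Constructed `git log -p` output (hypothetical commits, not the CTF repo):
# commit 1111... added a wallet address, commit 2222... later "removed" it.
SAMPLE_LOG = """commit 2222222222222222222222222222222222222222
Author: Example Dev <dev@example.invalid>

    remove wallet before publishing

diff --git a/mine.sh b/mine.sh
--- a/mine.sh
+++ b/mine.sh
-WALLET=0x0123456789abcdef0123456789abcdef01234567
+WALLET=REPLACE_ME
commit 1111111111111111111111111111111111111111
Author: Example Dev <dev@example.invalid>

    add mining script

diff --git a/mine.sh b/mine.sh
--- /dev/null
+++ b/mine.sh
+#!/bin/sh
+WALLET=0x0123456789abcdef0123456789abcdef01234567
+POOL=stratum+tcp://pool.example.invalid:4444
"""

PATTERNS = {
    "eth_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "onion": re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b"),
}

def scan_history(log_text: str) -> list:
    """Report indicator hits on added/removed lines, tagged with their commit."""
    findings, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        if line.startswith(("+++", "---")):      # file headers carry no content
            continue
        if line[:1] not in ("+", "-"):           # context lines are not changes
            continue
        side = "added" if line[0] == "+" else "removed"
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line[1:]):
                findings.append({"commit": commit, "side": side,
                                 "kind": kind, "value": m.group(0)})
    return findings

def still_in_history(findings: list) -> list:
    """Values removed in one commit but added in another: deleting them from
    HEAD left them recoverable from the older commit."""
    removed = {f["value"] for f in findings if f["side"] == "removed"}
    added = {f["value"] for f in findings if f["side"] == "added"}
    return sorted(removed & added)
```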

[screenshot]
The wallet is shown above; the hacker has some funds in it. Time to check the transactions.

[screenshot]
A total of forty transactions were made from this wallet. The hacker mostly receives payments from the Ethermine mining pool.

[screenshot]
Some transactions were also made using Tether, as shown above.


Taunt

[screenshot]
Another piece of evidence left behind by the hacker is the taunt screenshot shown above. They mention they are already heading home. Maybe their tweets and images can reveal where home is? It also does not help their case that they are giving away their Wi-Fi name and passwords...

[screenshot]
There are two onion addresses, as shown above. The older tweet contains the original address; the newer tweet contains the updated one.

[screenshot]
Visiting the new address over Tor displays the webpage shown above. It lists a Wi-Fi network labelled Home WiFi, and the name of this AP is DK1F-G. Now I can use the website Wigle to locate this AP, which should be their home.

[screenshot]
Searching Wigle for DK1F-G returns the result shown above: one AP with the BSSID 84:AF:EC:34:FC:F8. Is this the attacker's home Wi-Fi? Wigle also gives me the map coordinates, which place it in Japan.


Homebound

[screenshot]
[screenshot]
The two images give me more clues. The airport closest to the hacker before they boarded their flight is dca, and their last layover was at hnd. Both can be found by reverse image searching the pictures.

[screenshot]
The hacker made the tweet above in the past. The map in it shows a lake, and they claim to be close to home. Maybe I can identify the lake? After some research, I identified it as Lake Inawashiro.

[screenshot]
I searched Google Maps for the coordinates 40°36'19.9"N 140°27'38.4"E found on Wigle and obtained the result shown above. It looks like the hacker lives in the city of Hirosaki, at the red pin shown on the map.